An organization has just experienced a breach. When the investigator/incident handler attempts to correlate the information in all of the logs, the sequence of many of the logged events doesn't match up or line up properly. What is likely the cause?
The attacker altered or erased events from the logs.
Proper chain of custody was not observed while collecting the logs.
The breach didn't really happen; they dreamed it.
The network devices are not all synchronized.
It is a common track covering technique to alter or remove logs. This is known as anti-forensics and anti-incident response techniques.
EDIT: Yeah, but lack of synchronisation is a much, much more likely cause!!! EDIT: this is a paranoia-based question; use best judgement on your CEH exam.
For what it's worth: as staff, I've participated in forensic incident response for a large public university. Every time our team had logs that did not correlate properly, it was due to the threat actor erasing logs. Never had an issue like this due to a network sync issue. EDIT: Also, if there was a sync issue, the sequence of logs would be unaffected: "A" happened, then "B" happened, then "C". It's all there, just not with accurate time stamps.